Colorado Attorney General Phil Weiser on Data Privacy
As we all know, Colorado is among the states leading the country in thinking about consumer data and data privacy. The Colorado Privacy Act (CPA) is one of the leading laws blazing a trail for how states should protect consumer data here in the U.S. As such, Colorado is one of the three main states that virtually every company in the country is trying to think about.
The following are excerpts from Mr. Weiser’s comments. They have been lightly edited and quotation marks omitted for ease of readability.
Who is Philip J. Weiser?
I have been a student, a practitioner, a teacher, and a scholar on the regulation of emerging technologies… I’ve been involved as a federal official, as a state official, as someone who has worked on issues from the public policy side. My true north is how do we best serve and protect consumers in the midst of technological change. Privacy is obviously a core part of this effort… I now serve as Colorado Attorney General.
After I clerked for a couple of years, I went to work for Joel Klein, who was the head of the Antitrust Division at the US Department of Justice (DOJ) at the time. This was at the dawn of the Internet age. It was 1996, the Telecommunications Act of 1996; efforts to allow commercialization of Internet technologies; the Microsoft case involving the browser wars; and the advent of broadband.
It is in this era I was involved as a federal official and as a state official. As someone who has worked on these issues from the public policy side – and my true north is how do we best serve and protect consumers in the midst of this technological change – privacy is obviously a core part of this effort.
In 2009 I rejoined the federal government after a decade in academia, so I worked for Joel Klein for a couple of years and then was in the telecommunications program at the University of Colorado, whose law school founded a Center of Law Technology Entrepreneurship known as the Silicon Flatirons Center; worked as head of the Colorado Innovation Council; worked on Obama’s transition for the Federal Trade Commission (FTC); then went to work for the DOJ; then the White House to work on issues around technology, competition, and innovation; and afterwards, back to Colorado, where I served as the dean of the law school for five years.
I now serve as Colorado Attorney General.
How the rubber meets the road
Technology is a core part of what I focused on, and when I ran for Attorney General the consumer protection mission and the impact of changing technology was on my mind.
As soon as I got in, we had this question about Colorado passing its own data privacy law. I’ve referred to this as a ‘second best solution.’ In the best of all worlds Congress would adopt a federal privacy law. I had worked on an effort that many – Danny Weitzner most notably – helped champion in the Obama White House: a Privacy Bill of Rights concept.
The tools we have now include data security laws in Colorado, which include data breaches as well as requirements for companies to take reasonable precautions to make sure your data is protected. And now this data privacy law that we’re in the midst of implementing. We’re currently in a consultative period. We will have some public sessions coming up, and then we’re going to put out a formal rulemaking this fall.
How do we ensure the rubber hits the road in the right way and we’re actually protecting consumers?
Part of the core effort is to make sure consumers know what their rights are, have a sense of when they’re not being honored, and can let us know. How do we tell businesses what their obligations are, what they need to do, and create enough space for that compliance to happen?
This is a complicated puzzle… it’s going to take time.
We want to be thoughtful. We want to make sure that we’re focusing on what really matters. And we will make sure that we’re not being overly prescriptive in assuming there’s only one way to do something.
What can companies anticipate from the Colorado Privacy Act?
We need to allow a period for compliance and make sure we give businesses the information and tools to get into compliance, and we’re not going to play games or gotcha… We’re really trying to get it right. We want to work with you.
Stage One: Over the course of the summer months, it is a more informal engagement process. If you are an actor in this ecosystem and you’re asking, what do I need to know or how do I get engaged, we have set up a website with a comment forum to give you more visibility and a chance to be heard.
Stage Two: We will put out a call for comments with specifics for people to comment against. For example, a universal opt-out mechanism is something that’s going to get a lot of attention that we’re going to be wrestling with. Another one we want to hear from people about is the concept of ‘dark patterns.’
This is ‘the fall process.’ The law calls on us to complete a rulemaking by May of 2023 and our vision is to finish it well in advance of that.
Stage Three: There will be an implementation period. We know that compliance is not going to necessarily happen immediately. We need to allow a period for compliance and make sure we give businesses the information and tools needed to get into compliance.
I’m interested in making sure that the enforcement we do is towards those bad actors who are willfully non-complying. For the people who are really trying to get it right, we want to work with you. We’re not going to play games or gotcha.
Harmonizing the States’ Privacy Laws
I have a lot of thoughts on harmonizing with the other states that are thinking about this. The key concept is interoperability or compatibility. If our law is interoperable and compatible with California’s, and we’ve given people tools so they can readily comply with both, then we have succeeded.
If, by contrast, our law is incompatible with some other state’s laws… then we have made life impossible for companies who can’t comply with one or the other, but not both. (An extreme example would be a specific form of technology to implement certain requirements.)
It’s on us to make sure that we work with our fellow states. That we are thoughtful about how we enable sound compliance. I believe we can do that.
We need to be able to build trust and protect consumers, but also not stop development of new products that can benefit consumers and what the consumers want.
I do have a general awareness that we as enforcers need to be careful about being overly prescriptive. It’s not that I would be averse to ever seeing a need for a technological standard, but even many technological standards will leave implementation choices so that you’re not endorsing specific technologies. There’s a lot of work to be done in this area, and we’d love people’s feedback on it.
A federal data privacy framework is needed
What would be best is if the ideas that are getting generated through this process – the experimentation at the state level – find their way into national legislation.
There has been a cost to a lack of federal leadership in data privacy. The U.S. Government, developing fair information privacy practices in the 1970s, was the leader in data privacy. That leadership has been ceded over the last 20 years… and now we are part of an increasingly smaller list of countries that have not developed their own data privacy frameworks.
We need a federal privacy framework, and it is important that we do things based on rigor, based on careful analysis, and not be overly prescriptive from the standpoint of preventing technological development and innovation.
This brings me back to my point about the ‘second best.’ The second best we have in the U.S. is the States. But because Colorado, California, and others will have an alternative to GDPR it can enable dialogue and learning.
Avoid dark patterns and use privacy laws to build trust with customers
Every company knows that one of its core value propositions is trust: do customers trust you? Do your business partners trust you? Do your regulators trust you? When you engage in behavior that is unworthy of trust, that can do great damage to your brand. Think really carefully about how you approach this issue.
First advice: you’re hearing more about design thinking and user-centered design. Companies that ask ‘how does this look to the customer?’ will avoid behavior that is going to get them in trouble.
In the dark-patterns conversation, the basic point is if companies are really trying to give users awareness about their data, give them visibility on what data they have, and help them make informed choices, they are going to be more readily able to comply.
Where there are companies that ask the opposite question – who want to trick their users, to use data in ways that they don’t really understand and hope that they don’t notice – you’re playing a dangerous game. And it’s not only a dangerous game vis-à-vis compliance and enforcement consequences. It can do great damage to your brand.
My second piece of advice: constant vigilance. When collecting, storing, and managing data, we’re vulnerable to all sorts of risks. No company should comfort itself with check-box compliance. You need to develop ways in which you’re constantly vigilant and giving customers awareness, because there’s a lot of room for error and mistakes.
Looking to learn more about the Colorado Privacy Act?
Contact WireWheel today and let us help you through your compliance journey.